New Adequacy Decisions for EU-US data transfers introduced
On July 10, the EU Commission adopted an adequacy decision based on the Trans-Atlantic Data Privacy Framework ("TADPF"). The Commission is satisfied that the level of protection of personal data in the United States is comparable to that in the European Union. Personal data can therefore flow freely from the EU to the US as long as the receiving company in the US participates in the TADPF. Further safeguards or alternative transfer tools, such as standard contractual clauses, are no longer required.
Under the TADPF, the U.S. has made certain concessions to the EU to improve the level of data protection. These include measures such as
- Access to personal data will be limited to what is necessary and proportionate to protect national security.
- EU data subjects will have access to a Data Protection Review Court (DPRC).
Data Protection Activists find the TADPF wanting
However, privacy activists are not satisfied. They believe the TADPF is merely a fig leaf that barely covers the glaring holes in US law. And they may have a point.
The current framework is the third attempt to create a universal mechanism for transferring data to the US. The previous two attempts, Safe Harbor and Privacy Shield, were both found wanting in many respects. As a result, the European Court of Justice (ECJ) invalidated the respective adequacy decisions. The lawsuits were brought by the well-known activist Max Schrems, who now has the distinction of having not one, but two ECJ decisions named after him: Schrems I and Schrems II.
Schrems III looming?
There is a good chance that there will also be a Schrems III ruling that invalidates the current TADPF adequacy decisions. The reason is that, to many observers, the concessions made by the US look like a band-aid applied to a missing limb:
- The U.S. surveillance infrastructure remains completely untouched and in place.
- The framework is only an executive order, not even a law, and can potentially be revoked at any time.
- Moreover, the "Data Protection Review Court" that is supposed to oversee the surveillance practices of the US intelligence agencies is itself not an independent court, but a branch of the US executive branch, basically a kind of ombudsman. How this fits in with the GDRP is hard to see.
- Finally, it is not to be expected that the DPRC will apply European standards in its decisions, but American ones. To be more clear: Which data access is "necessary and proportionate" will be decided following American standards.
Trans-Atlantic Data Privacy Framework not to create investment security
As a result, the TADPF will be in perpetual limbo, either invalidated by the ECJ or revoked by the US. Thus, there will and can be no legal certainty that it will survive.
This may not be an issue for many transfers that could easily be based on the SCC. However, it is a consideration for companies and organizations that are building infrastructures that need to last for years or even decades: think of building data centers, implementing mission-critical software frameworks, or the like. For such organizations, the only sensible option is to treat the TADPF as optional. And that means that organizations will have to
- keep databases and
- core personal data processing in the EU
- to avoid data transfers to the US.
Engity's position
We at Engity believe that the EU has failed to negotiate properly with the US. In its current form, the TADPF is a fragile construct that cannot be the basis for investment or the establishment of processes involving data transfers. The EU Commission is trying for the third time to do what it failed to do twice before, and in some ways the third attempt is even worse than the first two. This legal opinion is shared by most of the EU Parliament which asked the EU Commission not to pass the adequacy decision due to legal uncertainty.
Even if the ECJ completely reverses course and does not end the adequacy decision, the framework is under constant threat of revocation by the US, as it could easily become a bargaining chip in the fractured US domestic politics.
The TADPF is unconvincing in both: form and substance.
With headquarters and servers in Europe, Engity can offer the investment security that European companies need, regardless of how EU-US data transfer legislation may change over the years.